U.S. patent application number 12/498675 was filed with the patent office on 2011-01-13 for method and apparatus for ascertaining data access permission of groups of users to groups of data elements.
This patent application is currently assigned to VARONIS SYSTEMS, INC. Invention is credited to Yakov FAITELSON, Yzhar KEYSAR, Ohad KORKUS.
Application Number: 20110010758 (12/498675)
Document ID: /
Family ID: 43428463
Filed Date: 2011-01-13
United States Patent Application 20110010758, Kind Code A1
FAITELSON; Yakov; et al.
January 13, 2011
METHOD AND APPARATUS FOR ASCERTAINING DATA ACCESS PERMISSION OF
GROUPS OF USERS TO GROUPS OF DATA ELEMENTS
Abstract
A method for ascertaining access permissions of users to
computer resources on a storage unit, the method including grouping
users into a plurality of user groups wherein all members of at
least one of the user groups have at least nearly identical
user/resource access permissions to the computer resources,
grouping resources into a plurality of resource groups wherein all
members of at least one of the resource groups have at least nearly
identical resource/user access permissions, ascertaining whether a
given user is a member of a user group, if the given user is a
member of a user group, ascribing to the given user the
user/resource access permissions of the user group, ascertaining
whether a given resource is a member of a resource group, and if
the given resource is a member of a resource group, ascribing to
the given resource the resource/user access permissions of the
resource group.
Inventors: FAITELSON; Yakov (Elkana, IL); KORKUS; Ohad (Herzeliya, IL); KEYSAR; Yzhar (Kohav-Yair, IL)
Correspondence Address: SUGHRUE MION, PLLC, 2100 PENNSYLVANIA AVENUE, N.W., SUITE 800, WASHINGTON, DC 20037, US
Assignee: VARONIS SYSTEMS, INC., New York, NY
Family ID: 43428463
Appl. No.: 12/498675
Filed: July 7, 2009
Current U.S. Class: 726/4
Current CPC Class: G06F 21/6218 20130101; G06F 9/468 20130101; H04L 9/32 20130101; H04L 63/101 20130101; G06F 2221/2141 20130101; H04L 63/104 20130101
Class at Publication: 726/4
International Class: H04L 9/32 20060101 H04L009/32; G06F 15/16 20060101 G06F015/16
Claims
1. A method for ascertaining access permissions of a first
multiplicity of users to a second multiplicity of computer
resources on at least one storage unit, the method comprising:
grouping users, among said first multiplicity of users, into a
first plurality of groups wherein all members of at least one of
said first plurality of groups have at least nearly identical
user/resource access permissions to said second multiplicity of
computer resources on said at least one storage unit; grouping
resources, among said second multiplicity of computer resources,
into a second plurality of groups wherein all members of at least
one of said second plurality of groups have at least nearly
identical resource/user access permissions; ascertaining whether a
given user is a member of one of said first plurality of groups; if
said given user is a member of said one of said first plurality of
groups, ascribing to said given user the user/resource access
permissions of said one of said first plurality of groups;
ascertaining whether a given resource is a member of one of said
second plurality of groups; and if said given resource is a member
of said one of said second plurality of groups, ascribing to said
given resource the resource/user access permissions of said one of
said second plurality of groups.
2. A method according to claim 1 and wherein said grouping users
comprises: identifying a set of user security groups, each of said
user security groups having access permissions to at least one of
said second multiplicity of computer resources on said at least one
storage unit; identifying, for each user of said first multiplicity
of users, a subset of said user security groups of which said user
is a member; and if a first subset of said user security groups, of
which a first user of said first multiplicity of users is a member,
is identical to a second subset of said user security groups, of
which a second user of said first multiplicity of users is a
member, grouping said first user and said second user in a single
one of said first plurality of groups with respect to said at least
one storage unit.
3. A method according to claim 1 and wherein said grouping users
comprises dividing said second multiplicity of computer resources
into at least two portions, and grouping said users, among said
first multiplicity of users, into said first plurality of groups
wherein all members of one of said first plurality of groups have
at least nearly identical user/resource access permissions to
computer resources included in one of said at least two
portions.
4. A method according to claim 3 and wherein said dividing
comprises: for each user of said first multiplicity of users,
calculating a fraction of said second multiplicity of computer
resources to which said user has access permissions, and comparing
said fraction to a threshold value; denoting each user, for whom
said fraction is smaller than said threshold value, as a degenerate
security group; and defining a first portion of said second
multiplicity of computer resources to be the union of all computer
resources which include access permissions for any degenerate
security group.
5. A method according to claim 1 and wherein computer resources in
said second multiplicity of computer resources are arranged in a
computer resource hierarchy.
6. A method according to claim 5 and wherein said grouping
resources comprises: for each resource in said computer resource
hierarchy, retrieving the resource/user access permissions of said
resource and the resource/user access permissions of an immediate
ancestor of said resource in said computer resource hierarchy; and
if said resource/user access permissions of said immediate ancestor
are identical to said resource/user access permissions of said
resource, grouping said resource and said immediate ancestor in a
single one of said second plurality of groups.
7. A method according to claim 6 and wherein said grouping said
resource comprises: providing a pointer from said resource to said
immediate ancestor; and extending pointers which point to said
resource to point to said immediate ancestor.
8. A method for ascertaining access permissions of a first
multiplicity of users to a second multiplicity of computer
resources on at least one storage unit, the method comprising:
grouping users, among said first multiplicity of users, into a
first plurality of groups wherein all members of at least one of
said first plurality of groups have at least nearly identical
user/resource access permissions to said second multiplicity of
computer resources on said at least one storage unit; ascertaining
whether a given user is a member of one of said first plurality of
groups; and if said given user is a member of said one of said
first plurality of groups, ascribing to said given user the
user/resource access permissions of said one of said first
plurality of groups.
9. A method according to claim 8 and wherein said grouping users
comprises: identifying a set of user security groups, each of said
user security groups having access permissions to at least one of
said second multiplicity of computer resources on said at least one
storage unit; identifying, for each of said first multiplicity of
users, a subset of said user security groups of which said user is
a member; and if a first subset of said user security groups, of
which a first user of said first multiplicity of users is a member,
is identical to a second subset of said user security groups, of
which a second user of said first multiplicity of users is a
member, grouping said first user and said second user in a single
one of said first plurality of groups with respect to said at least
one storage unit.
10. A method according to claim 8 and wherein said grouping users
comprises dividing said second multiplicity of computer resources
into at least two portions, and grouping said users, among said
first multiplicity of users, into said first plurality of groups
wherein all members of one of said first plurality of groups have
at least nearly identical user/resource access permissions to
computer resources included in one of said at least two
portions.
11. A method according to claim 10 and wherein said dividing
comprises: for each user of said first multiplicity of users,
calculating a fraction of said second multiplicity of computer
resources to which said user has access permissions, and comparing
said fraction to a threshold value; denoting each user, for whom
said fraction is smaller than said threshold value, as a degenerate
security group; and defining a first portion of said second
multiplicity of computer resources to be the union of all computer
resources which include access permissions for any degenerate
security group.
12. A method for ascertaining access permissions of a first
multiplicity of users to a second multiplicity of computer
resources on at least one storage unit, the method comprising:
grouping resources, among said second multiplicity of computer
resources, into a plurality of groups wherein all members of at
least one of said plurality of groups have at least nearly
identical resource/user access permissions; ascertaining whether a
given resource is a member of one of said plurality of groups; and
if said given resource is a member of said one of said plurality of
groups, ascribing to said given resource the resource/user access
permissions of said one of said plurality of groups.
13. A method according to claim 12 and wherein computer resources
in said second multiplicity of computer resources are arranged in a
computer resource hierarchy.
14. A method according to claim 13 and wherein said grouping
resources comprises: for each resource in said computer resource
hierarchy, retrieving the resource/user access permissions of said
resource and the resource/user access permissions of an immediate
ancestor of said resource in said computer resource hierarchy; and
if said resource/user access permissions of said immediate ancestor
are identical to said resource/user access permissions of said
resource, grouping said resource and said immediate ancestor in a
single one of said second plurality of groups.
15. A method according to claim 14 and wherein said grouping said
resource comprises: providing a pointer from said resource to said
immediate ancestor; and extending pointers which point to said
resource to point to said immediate ancestor.
16. Apparatus for ascertaining access permissions of a first
multiplicity of users to a second multiplicity of computer
resources on at least one storage unit, the apparatus comprising:
user grouping functionality operative to group users, among said
first multiplicity of users, into a first plurality of groups
wherein all members of at least one of said first plurality of
groups have at least nearly identical user/resource access
permissions to said second multiplicity of computer resources on
said at least one storage unit; computer resource grouping
functionality operative to group computer resources, among said
second multiplicity of computer resources, into a second plurality
of groups wherein all members of at least one of said second
plurality of groups have at least nearly identical resource/user
access permissions; user access permissions ascribing functionality
operative to ascertain whether a given user is a member of one of
said first plurality of groups, and if said given user is a member
of said one of said first plurality of groups, to ascribe to said
given user the user/resource access permissions of said one of said
first plurality of groups; and computer resource access permissions
ascribing functionality operative to ascertain whether a given
computer resource is a member of one of said second plurality of
groups, and if said given computer resource is a member of said one
of said second plurality of groups, to ascribe to said given
computer resource the resource/user access permissions of said one
of said second plurality of groups.
17. Apparatus according to claim 16 and wherein said user grouping
functionality comprises: user security group identification
functionality operative to identify a plurality of user security
groups, each of said user security groups having access permissions
to at least one of said second multiplicity of computer resources
on said at least one storage unit; user security group subset
identification functionality operative to identify, for each of
said first multiplicity of users, a subset of said user security
groups of which said user is a member; and user subset comparison
functionality operative to group a first user and a second user in
a single one of said first plurality of groups, with respect to
said at least one storage unit, if a first subset of said user
security groups of which said first user is a member is identical
to a second subset of said user security groups of which said
second user is a member.
18. Apparatus according to claim 16 and also comprising a computer
resource dividing functionality operative to divide said second
multiplicity of computer resources into at least two portions, and
wherein said user grouping functionality is operative to group
users, among said first multiplicity of users, into said first
plurality of groups wherein all members of one of said first
plurality of groups have at least nearly identical user/resource
access permissions to computer resources included in one of said at
least two portions.
19. Apparatus according to claim 18 and wherein said computer
resource dividing functionality comprises: fraction calculating
functionality operative, for each user of said first multiplicity
of users, to calculate a fraction of said second multiplicity of
computer resources to which said user has access permissions, and
to compare said fraction to a threshold value; user denoting
functionality operative to denote each user, for whom said fraction
is smaller than said threshold value, as a degenerate security
group; and portion defining functionality operative to define a
first portion of said second multiplicity of computer resources to
be the union of all computer resources which include access
permissions for any degenerate security group.
20. Apparatus according to claim 16 and wherein computer resources
in said second multiplicity of computer resources are arranged in a
computer resource hierarchy.
21. Apparatus according to claim 20 and wherein said computer
resource grouping functionality comprises: resource/user access
permissions retrieval functionality operative, for each resource in
said computer resource hierarchy, to retrieve the resource/user
access permissions of said resource and the resource/user access
permissions of an immediate ancestor of said resource in said
computer resource hierarchy; and resource/user access permissions
comparison functionality, operative to compare said resource/user
access permissions of said resource to said resource/user access
permissions of said immediate ancestor, and if said resource/user
access permissions of said immediate ancestor are identical to said
resource/user access permissions of said given resource, to group
said resource and said immediate ancestor in a single one of said
second plurality of groups.
22. Apparatus according to claim 21 and wherein said resource/user
access permissions comparison functionality is operative to provide
a pointer from said resource to said immediate ancestor and to
extend pointers which point to said resource to point to said
immediate ancestor.
23. Apparatus for ascertaining access permissions of a first
multiplicity of users to a second multiplicity of computer
resources on at least one storage unit, the apparatus comprising:
user grouping functionality operative to group users, among said
first multiplicity of users, into a first plurality of groups
wherein all members of at least one of said first plurality of
groups have at least nearly identical user/resource access
permissions to said second multiplicity of computer resources on
said at least one storage unit; and user access permissions
ascribing functionality operative to ascertain whether a given user
is a member of one of said first plurality of groups, and if said
given user is a member of said one of said first plurality of
groups, to ascribe to said given user the user/resource access
permissions of said one of said first plurality of groups.
24. Apparatus according to claim 23 and wherein said user grouping
functionality comprises: user security group identification
functionality operative to identify a plurality of user security
groups, each of said user security groups having access permissions
to at least one of said second multiplicity of computer resources
on said at least one storage unit; user security group subset
identification functionality operative to identify, for each of
said first multiplicity of users, a subset of said user security
groups of which said user is a member; and user subset comparison
functionality operative to group a first user and a second user in
a single one of said first plurality of groups, with respect to
said at least one storage unit, if a first subset of said user
security groups of which said first user is a member is identical
to a second subset of said user security groups of which said
second user is a member.
25. Apparatus according to claim 23 and also comprising a computer
resource dividing functionality operative to divide said second
multiplicity of computer resources into at least two portions, and
wherein said user grouping functionality is operative to group
users, among said first multiplicity of users, into said first
plurality of groups wherein all members of one of said first
plurality of groups have at least nearly identical user/resource
access permissions to computer resources included in one of said at
least two portions.
26. Apparatus according to claim 25 and wherein said computer
resource dividing functionality comprises: fraction calculating
functionality operative, for each user of said first multiplicity
of users, to calculate a fraction of said second multiplicity of
computer resources to which said user has access permissions, and
to compare said fraction to a threshold value; user denoting
functionality operative to denote each user, for whom said fraction
is smaller than said threshold value, as a degenerate security
group; and portion defining functionality operative to define a
first portion of said second multiplicity of computer resources to
be the union of all computer resources which include access
permissions for any degenerate security group.
27. Apparatus for ascertaining access permissions of a first
multiplicity of users to a second multiplicity of computer
resources on at least one storage unit, the apparatus comprising:
computer resource grouping functionality operative to group
resources, among said second multiplicity of computer resources,
into a second plurality of groups wherein all members of at least
one of said second plurality of groups have at least nearly
identical resource/user access permissions; and computer resource
access permissions ascribing functionality operative to ascertain
whether a given computer resource is a member of one of said second
plurality of groups, and if said given computer resource is a
member of said one of said second plurality of groups, to ascribe
to said given computer resource the resource/user access
permissions of said one of said second plurality of groups.
28. Apparatus according to claim 27 and wherein computer resources
in said second multiplicity of computer resources are arranged in a
computer resource hierarchy.
29. Apparatus according to claim 28 and wherein said computer
resource grouping functionality comprises: resource/user access
permissions retrieval functionality operative, for each resource in
said computer resource hierarchy, to retrieve the resource/user
access permissions of said resource and the resource/user access
permissions of an immediate ancestor of said resource in said
computer resource hierarchy; and resource/user access permissions
comparison functionality, operative to compare said resource/user
access permissions of said resource to said resource/user access
permissions of said immediate ancestor, and if said resource/user
access permissions of said immediate ancestor are identical to said
resource/user access permissions of said resource, to group said
resource and said immediate ancestor in a single one of said second
plurality of groups.
30. Apparatus according to claim 29 and wherein said resource/user
access permissions comparison functionality is operative to provide
a pointer from said resource to said immediate ancestor and to
extend pointers which point to said resource to point to said
immediate ancestor.
Description
FIELD OF THE INVENTION
[0001] The present invention relates to data security generally and
more particularly to data security in large organizations having a
large number of resources and a large number of users.
BACKGROUND OF THE INVENTION
[0002] The following U.S. Patents are believed to represent the
current state of the art: U.S. Pat. Nos. 6,772,350; 6,308,173 and
5,889,952.
SUMMARY OF THE INVENTION
[0003] The present invention seeks to provide methodology and a
system for ascertaining access permissions of users to computer
resources in a large organization having a large number of
resources and a large number of users.
[0004] There is thus provided in accordance with a preferred
embodiment of the present invention a method for ascertaining
access permissions of a first multiplicity of users to a second
multiplicity of computer resources on at least one storage unit,
the method including:
[0005] grouping users, among the first multiplicity of users, into
a first plurality of groups wherein all members of at least one of
the first plurality of groups have at least nearly identical
user/resource access permissions to the second multiplicity of
computer resources on the at least one storage unit,
[0006] grouping resources, among the second multiplicity of
computer resources, into a second plurality of groups wherein all
members of at least one of the second plurality of groups have at
least nearly identical resource/user access permissions,
[0007] ascertaining whether a given user is a member of one of the
first plurality of groups,
[0008] if the given user is a member of the one of the first
plurality of groups, ascribing to the given user the user/resource
access permissions of the one of the first plurality of groups,
[0009] ascertaining whether a given resource is a member of one of
the second plurality of groups, and
[0010] if the given resource is a member of the one of the second
plurality of groups, ascribing to the given resource the
resource/user access permissions of the one of the second plurality
of groups.
[0011] In accordance with a preferred embodiment of the present
invention the grouping users includes identifying a set of user
security groups, each of the user security groups having access
permissions to at least one of the second multiplicity of computer
resources on the at least one storage unit, identifying, for each
user of the first multiplicity of users, a subset of the user
security groups of which the user is a member, and if a first
subset of the user security groups, of which a first user of the
first multiplicity of users is a member, is identical to a second
subset of the user security groups, of which a second user of the
first multiplicity of users is a member, grouping the first user
and the second user in a single one of the first plurality of
groups with respect to the at least one storage unit.
[0012] In accordance with a further preferred embodiment of the
present invention the grouping users includes dividing the second
multiplicity of computer resources into at least two portions, and
grouping the users, among the first multiplicity of users, into the
first plurality of groups wherein all members of one of the first
plurality of groups have at least nearly identical user/resource
access permissions to computer resources included in one of the at
least two portions.
[0013] In accordance with another preferred embodiment of the
present invention the dividing includes for each user of the first
multiplicity of users, calculating a fraction of the second
multiplicity of computer resources to which the user has access
permissions, and comparing the fraction to a threshold value,
denoting each user, for whom the fraction is smaller than the
threshold value, as a degenerate security group, and defining a
first portion of the second multiplicity of computer resources to
be the union of all computer resources which include access
permissions for any degenerate security group.
[0014] In accordance with another preferred embodiment of the
present invention, computer resources in the second multiplicity of
computer resources are arranged in a computer resource hierarchy.
Preferably, the grouping resources includes for each resource in
the computer resource hierarchy, retrieving the resource/user
access permissions of the resource and the resource/user access
permissions of an immediate ancestor of the resource in the
computer resource hierarchy, and if the resource/user access
permissions of the immediate ancestor are identical to the
resource/user access permissions of the resource, grouping the
resource and the immediate ancestor in a single one of the second
plurality of groups. Additionally or alternatively, the grouping
the resource includes providing a pointer from the resource to the
immediate ancestor and extending pointers which point to the
resource to point to the immediate ancestor.
[0015] There is additionally provided, in accordance with another
preferred embodiment of the present invention, a method for
ascertaining access permissions of a first multiplicity of users to
a second multiplicity of computer resources on at least one storage
unit, the method including grouping users, among the first
multiplicity of users, into a first plurality of groups wherein all
members of at least one of the first plurality of groups have at
least nearly identical user/resource access permissions to the
second multiplicity of computer resources on the at least one
storage unit, ascertaining whether a given user is a member of one
of the first plurality of groups, and if the given user is a member
of the one of the first plurality of groups, ascribing to the given
user the user/resource access permissions of the one of the first
plurality of groups.
[0016] In accordance with a preferred embodiment of the present
invention the grouping users includes identifying a set of user
security groups, each of the user security groups having access
permissions to at least one of the second multiplicity of computer
resources on the at least one storage unit, identifying, for each
of the first multiplicity of users, a subset of the user security
groups of which the user is a member, and if a first subset of the
user security groups, of which a first user of the first
multiplicity of users is a member, is identical to a second subset
of the user security groups, of which a second user of the first
multiplicity of users is a member, grouping the first user and the
second user in a single one of the first plurality of groups with
respect to the at least one storage unit.
[0017] In accordance with another preferred embodiment of the
present invention the grouping users includes dividing the second
multiplicity of computer resources into at least two portions, and
grouping the users, among the first multiplicity of users, into the
first plurality of groups wherein all members of one of the first
plurality of groups have at least nearly identical user/resource
access permissions to computer resources included in one of the at
least two portions. Preferably, the dividing includes for each user
of the first multiplicity of users, calculating a fraction of the
second multiplicity of computer resources to which the user has
access permissions, and comparing the fraction to a threshold
value, denoting each user, for whom the fraction is smaller than
the threshold value, as a degenerate security group, and defining a
first portion of the second multiplicity of computer resources to
be the union of all computer resources which include access
permissions for any degenerate security group.
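The user-grouping rules of [0011] through [0013] (restated in [0016] and [0017]) carried through on constructed sample data, as an added example that is not part of the application: users whose sets of permission-granting security groups are identical share a group; users whose accessible fraction of the resources falls below a threshold are treated as degenerate security groups; the resources are divided into the portion those users can reach and the remainder, and users are re-grouped per portion. User names, group names, paths and the 0.3 threshold are constructed, and grouping here uses identical rather than "nearly identical" permissions.

```python
"""Group users by effective access to resources on one storage unit,
following the two grouping rules in the summary (constructed sample data)."""
from collections import defaultdict

# Constructed sample: users, security-group membership, and each
# resource's ACL expressed as the set of security groups granted access.
USERS = {"alice", "bob", "carol", "dave", "erin", "frank"}  # frank is in no group

GROUP_MEMBERS = {
    "finance": {"alice", "bob"},
    "hr": {"carol"},
    "everyone": {"alice", "bob", "carol", "dave"},
    "backup-ops": {"erin"},
    "legacy-app": set(),  # appears in an ACL below but has no members
}

RESOURCE_ACL = {
    "/share/finance/ledger.xlsx": {"finance"},
    "/share/finance/budget.xlsx": {"finance"},
    "/share/hr/salaries.xlsx": {"hr"},
    "/share/public/handbook.pdf": {"everyone"},
    "/share/public/holidays.ics": {"everyone"},
    "/share/backup/tape1.img": {"backup-ops"},
    "/share/backup/tape2.img": {"backup-ops"},
    "/share/legacy/app.cfg": {"legacy-app"},
}


def user_security_groups(users, group_members, resource_acl):
    """For every user, the subset of security groups the user belongs to,
    restricted to groups that grant access to at least one resource."""
    granting = {g for acl in resource_acl.values() for g in acl}
    subsets = {u: set() for u in users}
    for group, members in group_members.items():
        if group not in granting:
            continue
        for user in members & users:
            subsets[user].add(group)
    return {u: frozenset(gs) for u, gs in subsets.items()}


def group_users_by_security_groups(users, group_members, resource_acl):
    """Rule of [0011]: users with identical security-group subsets share a group."""
    groups = defaultdict(set)
    for user, subset in user_security_groups(users, group_members, resource_acl).items():
        groups[subset].add(user)
    return dict(groups)


def accessible_resources(users, group_members, resource_acl):
    """Effective user/resource permissions: the resources a user can reach
    through any of the user's security groups."""
    subsets = user_security_groups(users, group_members, resource_acl)
    return {
        user: frozenset(r for r, acl in resource_acl.items() if acl & groups)
        for user, groups in subsets.items()
    }


def divide_resources(users, group_members, resource_acl, threshold):
    """Rule of [0013]: a user whose accessible fraction of all resources is
    below the threshold is a degenerate security group; the first portion
    is every resource such a user can reach, the second is the remainder."""
    access = accessible_resources(users, group_members, resource_acl)
    total = len(resource_acl)
    degenerate = {u for u, rs in access.items() if len(rs) / total < threshold}
    first = frozenset().union(*(access[u] for u in degenerate))
    second = frozenset(resource_acl) - first
    return degenerate, first, second


def group_users_per_portion(users, group_members, resource_acl, threshold):
    """Rule of [0012]: within each portion, users with identical permissions
    to the resources of that portion share one group."""
    access = accessible_resources(users, group_members, resource_acl)
    _, first, second = divide_resources(users, group_members, resource_acl, threshold)
    result = {}
    for name, portion in (("first", first), ("second", second)):
        groups = defaultdict(set)
        for user, rs in access.items():
            groups[rs & portion].add(user)
        result[name] = dict(groups)
    return result


if __name__ == "__main__":
    for subset, members in group_users_by_security_groups(USERS, GROUP_MEMBERS, RESOURCE_ACL).items():
        print("security groups", sorted(subset), "->", sorted(members))
    degenerate, first, second = divide_resources(USERS, GROUP_MEMBERS, RESOURCE_ACL, 0.3)
    print("degenerate users:", sorted(degenerate))
    for name, groups in group_users_per_portion(USERS, GROUP_MEMBERS, RESOURCE_ACL, 0.3).items():
        for rs, members in groups.items():
            print(name, "portion", sorted(rs), "->", sorted(members))
```

Note that dave, erin and frank differ on the first portion but share the empty permission set on the second, so the per-portion grouping merges them there while the whole-unit grouping keeps them apart.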
[0018] There is additionally provided, in accordance with an
additional preferred embodiment of the present invention, a method
for ascertaining access permissions of a first multiplicity of
users to a second multiplicity of computer resources on at least
one storage unit, the method including grouping resources, among
the second multiplicity of computer resources, into a plurality of
groups wherein all members of at least one of the plurality of
groups have at least nearly identical resource/user access
permissions, ascertaining whether a given resource is a member of
one of the plurality of groups, and if the given resource is a
member of the one of the plurality of groups, ascribing to the
given resource the resource/user access permissions of the one of
the plurality of groups.
[0019] In accordance with a preferred embodiment of the present
invention, the computer resources in the second multiplicity of
computer resources are arranged in a computer resource hierarchy.
Preferably, the grouping resources includes for each resource in
the computer resource hierarchy, retrieving the resource/user
access permissions of the resource and the resource/user access
permissions of an immediate ancestor of the resource in the
computer resource hierarchy, and if the resource/user access
permissions of the immediate ancestor are identical to the
resource/user access permissions of the resource, grouping the
resource and the immediate ancestor in a single one of the second
plurality of groups.
[0020] In accordance with a further preferred embodiment of the
present invention the grouping the resource includes providing a
pointer from the resource to the immediate ancestor and extending
pointers which point to the resource to point to the immediate
ancestor.
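The resource-grouping rule of [0014], [0019] and [0020] carried through on a constructed directory hierarchy, as an added example that is not part of the application: a resource whose ACL is identical to its immediate ancestor's is merged into the ancestor's group by pointing at the ancestor, and pointers already aimed at the resource are extended to the ancestor, so every resource ends up pointing directly at the resource heading its group and only one ACL per group needs to be stored. Paths, principals and rights are constructed.

```python
"""Group hierarchy resources with their immediate ancestor when the ACLs
are identical, keeping one pointer per resource (constructed sample data)."""
from collections import defaultdict

# Constructed sample hierarchy: path -> (immediate ancestor, ACL).
# An ACL is a frozenset of (principal, rights) entries so it compares by content.
HIERARCHY = {
    "/share": (None, frozenset({("everyone", "r")})),
    "/share/public": ("/share", frozenset({("everyone", "r")})),
    "/share/public/handbook.pdf": ("/share/public", frozenset({("everyone", "r")})),
    "/share/public/draft.docx": ("/share/public", frozenset({("everyone", "r"), ("marketing", "rw")})),
    "/share/finance": ("/share", frozenset({("finance", "rw")})),
    "/share/finance/ledger.xlsx": ("/share/finance", frozenset({("finance", "rw")})),
    "/share/finance/audit": ("/share/finance", frozenset({("finance", "rw"), ("auditors", "r")})),
    "/share/finance/audit/2009.pdf": ("/share/finance/audit", frozenset({("finance", "rw"), ("auditors", "r")})),
}


def group_resources(hierarchy):
    """Return a pointer map resource -> resource heading its group.

    Resources are visited deepest first, so by the time a resource is merged
    into its ancestor, its own descendants may already point at it; those
    pointers are extended to the ancestor, keeping every pointer one hop long."""
    pointer = {res: res for res in hierarchy}
    for res in sorted(hierarchy, key=lambda p: -p.count("/")):
        parent, acl = hierarchy[res]
        if parent is None or hierarchy[parent][1] != acl:
            continue  # root, or ACL differs from the ancestor: heads its own group
        pointer[res] = parent
        for other, target in pointer.items():
            if target == res:
                pointer[other] = parent
    return pointer


def resource_groups(pointer):
    """Invert the pointer map: group head -> all members of the group."""
    groups = defaultdict(set)
    for res, head in pointer.items():
        groups[head].add(res)
    return dict(groups)


def ascribed_permissions(hierarchy, pointer, res):
    """Ascertain the group of res and ascribe the group's ACL to it:
    only the head's ACL has to be retained for the whole group."""
    head = pointer[res]
    return head, hierarchy[head][1]


if __name__ == "__main__":
    pointer = group_resources(HIERARCHY)
    for head, members in resource_groups(pointer).items():
        print(head, "->", sorted(members))
    print("ACLs stored:", len(resource_groups(pointer)), "of", len(HIERARCHY), "resources")
    print(ascribed_permissions(HIERARCHY, pointer, "/share/public/handbook.pdf"))
```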
[0021] There is further provided in accordance with yet another
preferred embodiment of the present invention apparatus for
ascertaining access permissions of a first multiplicity of users to
a second multiplicity of computer resources on at least one storage
unit, the apparatus including:
[0022] user grouping functionality operative to group users, among
the first multiplicity of users, into a first plurality of groups
wherein all members of at least one of the first plurality of
groups have at least nearly identical user/resource access
permissions to the second multiplicity of computer resources on the
at least one storage unit,
[0023] computer resource grouping functionality operative to group
computer resources, among the second multiplicity of computer
resources, into a second plurality of groups wherein all members of
at least one of the second plurality of groups have at least nearly
identical resource/user access permissions,
[0024] user access permissions ascribing functionality operative to
ascertain whether a given user is a member of one of the first
plurality of groups, and if the given user is a member of the one
of the first plurality of groups, to ascribe to the given user the
user/resource access permissions of the one of the first plurality
of groups, and
[0025] computer resource access permissions ascribing functionality
operative to ascertain whether a given computer resource is a
member of one of the second plurality of groups, and if the given
computer resource is a member of the one of the second plurality of
groups, to ascribe to the given computer resource the resource/user
access permissions of the one of the second plurality of
groups.
[0026] In accordance with a preferred embodiment of the present
invention the user grouping functionality includes user security
group identification functionality operative to identify a
plurality of user security groups, each of the user security groups
having access permissions to at least one of the second
multiplicity of computer resources on the at least one storage
unit, user security group subset identification functionality
operative to identify, for each of the first multiplicity of users,
a subset of the user security groups of which the user is a member,
and user subset comparison functionality operative to group a first
user and a second user in a single one of the first plurality of
groups, with respect to the at least one storage unit, if a first
subset of the user security groups of which the first user is a
member is identical to a second subset of the user security groups
of which the second user is a member.
[0027] In accordance with a further preferred embodiment of the
present invention the apparatus also includes a computer resource
dividing functionality operative to divide the second multiplicity
of computer resources into at least two portions, and wherein the
user grouping functionality is operative to group users, among the
first multiplicity of users, into the first plurality of groups
wherein all members of one of the first plurality of groups have at
least nearly identical user/resource access permissions to computer
resources included in one of the at least two portions.
[0028] In accordance with another preferred embodiment of the
present invention the computer resource dividing functionality
includes fraction calculating functionality operative, for each
user of the first multiplicity of users, to calculate a fraction of
the second multiplicity of computer resources to which the user has
access permissions, and to compare the fraction to a threshold
value, user denoting functionality operative to denote each user,
for whom the fraction is smaller than the threshold value, as a
degenerate security group, and portion defining functionality
operative to define a first portion of the second multiplicity of
computer resources to be the union of all computer resources which
include access permissions for any degenerate security group.
Preferably, computer resources in the second multiplicity of
computer resources are arranged in a computer resource
hierarchy.
[0029] In accordance with another preferred embodiment of the
present invention the computer resource grouping functionality
includes resource/user access permissions retrieval functionality
operative, for each resource in the computer resource hierarchy, to
retrieve the resource/user access permissions of the resource and
the resource/user access permissions of an immediate ancestor of
the resource in the computer resource hierarchy and resource/user
access permissions comparison functionality, operative to compare
the resource/user access permissions of the resource to the
resource/user access permissions of the immediate ancestor, and if
the resource/user access permissions of the immediate ancestor are
identical to the resource/user access permissions of the given
resource, to group the resource and the immediate ancestor in a
single one of the second plurality of groups.
[0030] In accordance with another preferred embodiment of the
present invention the resource/user access permissions comparison
functionality is operative to provide a pointer from the resource
to the immediate ancestor and to extend pointers which point to the
resource to point to the immediate ancestor.
[0031] There is additionally provided, in accordance with still
another preferred embodiment of the present invention, apparatus
for ascertaining access permissions of a first multiplicity of
users to a second multiplicity of computer resources on at least
one storage unit, the apparatus including user grouping
functionality operative to group users, among the first
multiplicity of users, into a first plurality of groups wherein all
members of at least one of the first plurality of groups have at
least nearly identical user/resource access permissions to the
second multiplicity of computer resources on the at least one
storage unit, and user access permissions ascribing functionality
operative to ascertain whether a given user is a member of one of
the first plurality of groups, and if the given user is a member of
the one of the first plurality of groups, to ascribe to the given
user the user/resource access permissions of the one of the first
plurality of groups.
[0032] In accordance with a preferred embodiment of the present
invention the user grouping functionality includes user security
group identification functionality operative to identify a
plurality of user security groups, each of the user security groups
having access permissions to at least one of the second
multiplicity of computer resources on the at least one storage
unit, user security group subset identification functionality
operative to identify, for each of the first multiplicity of users,
a subset of the user security groups of which the user is a member,
and user subset comparison functionality operative to group a first
user and a second user in a single one of the first plurality of
groups, with respect to the at least one storage unit, if a first
subset of the user security groups of which the first user is a
member is identical to a second subset of the user security groups
of which the second user is a member.
[0033] In accordance with another preferred embodiment of the
present invention the apparatus also includes a computer resource
dividing functionality operative to divide the second multiplicity
of computer resources into at least two portions, and wherein the
user grouping functionality is operative to group users, among the
first multiplicity of users, into the first plurality of groups
wherein all members of one of the first plurality of groups have at
least nearly identical user/resource access permissions to computer
resources included in one of the at least two portions. Preferably,
the computer resource dividing functionality includes fraction
calculating functionality operative, for each user of the first
multiplicity of users, to calculate a fraction of the second
multiplicity of computer resources to which the user has access
permissions, and to compare the fraction to a threshold value, user
denoting functionality operative to denote each user, for whom the
fraction is smaller than the threshold value, as a degenerate
security group, and portion defining functionality operative to
define a first portion of the second multiplicity of computer
resources to be the union of all computer resources which include
access permissions for any degenerate security group.
[0034] There is additionally provided, in accordance with an
additional preferred embodiment of the present invention, apparatus
for ascertaining access permissions of a first multiplicity of
users to a second multiplicity of computer resources on at least
one storage unit, the apparatus including computer resource
grouping functionality operative to group resources, among the
second multiplicity of computer resources, into a second plurality
of groups wherein all members of at least one of the second
plurality of groups have at least nearly identical resource/user
access permissions, and computer resource access permissions
ascribing functionality operative to ascertain whether a given
computer resource is a member of one of the second plurality of
groups, and if the given computer resource is a member of the one
of the second plurality of groups, to ascribe to the given computer
resource the resource/user access permissions of the one of the
second plurality of groups. Preferably, computer resources in the
second multiplicity of computer resources are arranged in a
computer resource hierarchy.
[0035] In accordance with a preferred embodiment of the present
invention the computer resource grouping functionality includes
resource/user access permissions retrieval functionality operative,
for each resource in the computer resource hierarchy, to retrieve
the resource/user access permissions of the resource and the
resource/user access permissions of an immediate ancestor of the
resource in the computer resource hierarchy and resource/user
access permissions comparison functionality, operative to compare
the resource/user access permissions of the resource to the
resource/user access permissions of the immediate ancestor, and if
the resource/user access permissions of the immediate ancestor are
identical to the resource/user access permissions of the resource,
to group the resource and the immediate ancestor in a single one of
the second plurality of groups.
[0036] In accordance with another preferred embodiment of the
present invention the resource/user access permissions comparison
functionality is operative to provide a pointer from the resource
to the immediate ancestor and to extend pointers which point to the
resource to point to the immediate ancestor.
BRIEF DESCRIPTION OF THE DRAWINGS
[0037] The present invention will be understood and appreciated
more fully from the following detailed description, taken in
conjunction with the drawings in which:
[0038] FIG. 1 is a simplified illustration of operation of a
preferred embodiment of the present invention in a large
organization having a large number of resources and a large number
of users;
[0039] FIG. 2 is a simplified flowchart illustrating general
methodology for ascertaining access permissions of users to
computer resources in a large organization having a large number of
resources and a large number of users in accordance with a
preferred embodiment of the present invention;
[0040] FIGS. 3A and 3B, taken together, are a simplified flowchart
illustrating methodology for grouping users in a large organization
based on their access permissions, which methodology forms part of
the methodology of FIG. 2;
[0041] FIGS. 4A and 4B, taken together, are a simplified flowchart
illustrating methodology for grouping computer resources in a large
organization based on the access permissions to the computer
resources, which methodology forms part of the methodology of FIG.
2; and
[0042] FIGS. 5A, 5B and 5C, taken together, are a simplified
flowchart illustrating methodology for computing a response to an
access permissions query, which methodology forms part of the
methodology of FIG. 2.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
[0043] Data security policies typically determine who has access to
an organization's data, which data is typically stored on various
computer systems. These policies are rarely static. This is partly
because users from within the organization, such as employees,
partners and contractors, can pose a threat to sensitive data as
severe as threats from outside the organization. Thus, as the
structure and personnel makeup of the organization change, the
security policy should be adjusted accordingly. Information
technology departments often find it difficult to manage user data
access permissions and to ensure that required information is
conveniently available, while protecting the organization's
sensitive data.
[0044] Large business organizations may operate computer systems
comprising large numbers of servers, which are often geographically
distributed. Storage elements in such systems may be accessible by
a large number of users. Various people associated with data
access authorizations, including information technology personnel,
operational personnel such as account managers and third party
reviewers such as legal advisors may need to routinely inquire as
to user access permissions to specific data.
[0045] Maintenance of a conventional localized or distributed
database suitable for responding to queries as to the access
permissions of any particular user or group of users, or
conversely, for responding to queries as to the access permissions
relating to a particular storage element or group of storage
elements, could overwhelm the capabilities of even the most
sophisticated database management programs currently existing.
Storage and retrieval of the data required in order to service such
queries may have an adverse effect on the storage capacities of
various servers. Additionally, execution of such queries may impact
the performance of the servers and thus may impair the overall
efficiency of the computer system. Furthermore, because processing
a response to such queries often necessitates an exhaustive
iterative search through the directories of many file servers and
their access control lists, the time for responding to such queries
becomes unacceptably long.
[0046] Access control technologies have not been optimally
implemented in systems that utilize diverse access control models.
The state of the art today is such that there is no easy way for
system administrators to know which users are authorized to access
each specific data item in such environments. As a result, in many
organizations an unacceptably high number of users have
inappropriate access permissions. A solution is also lacking for
the related problems of redundant access permissions and of orphan
accounts belonging to personnel who no longer belong to the
organization. Hence, there is a need for improvements in
controlling user access permissions in order to improve data
security, prevent fraud, and improve company productivity.
Furthermore, misuse of data access permissions, even by authorized
users, is a concern for those charged with simplification and
automation of system security.
[0047] Referring now to FIG. 1, there is seen a schematic
representation of a large organization having a first multiplicity
of users and a second multiplicity of computer resources, such as
computer files, which may reside on many file servers. The users
and the file servers may be geographically distributed
independently of their function. In accordance with a preferred
embodiment of the present invention, a hierarchical structure of
the second multiplicity of computer resources, and/or a grouping of
the first multiplicity of users in accordance with their access
permissions with respect to computer resources residing on a
specific server, are employed when responding to access permission
queries, thereby allowing for better response times to such
queries.
[0048] With respect to a given user, the term "user/resource access
permissions" relates to a list of computer resources, located on a
specific server or storage unit, to which the given user has access
permissions. Thus, two users have identical user/resource access
permissions if, with respect to a specific server or storage unit,
both users have access permissions to an identical list of computer
resources located on that server or storage unit.
[0049] With respect to a given computer resource, the term
"resource/user access permissions" relates to a list of users with
access permissions to the given computer resource. Thus, two
computer resources have identical resource/user access permissions
if an identical list of users has access permissions to both
computer resources.
[0050] It is further appreciated that in the context of the present
invention the term "access permissions" relates to reading
permissions, writing permissions and executing permissions, or any
combination thereof. For example, a given user has access
permissions to a given resource if the user has reading permissions
to the given resource, even if the user does not have writing
permissions or executing permissions to the given resource.
[0051] In accordance with a preferred embodiment of the present
invention, as seen in FIG. 1, there is provided a method for
ascertaining access permissions of the first multiplicity of users,
indicated generally by reference numeral 102, to the second
multiplicity of computer resources, indicated generally by
reference numeral 104, on at least one storage unit, preferably a
plurality of file servers, indicated generally by reference numeral
106.
[0052] Preferably among the first multiplicity of users 102, a
first plurality of groups of users is defined, wherein all members
of each one of the first plurality of groups of users have at least
nearly identical user/resource access permissions to the computer
resources on a given file server 106.
[0053] For example, as seen in FIG. 1, personnel in the accounting
department, whether located in India, Brazil or Canada, may be
members of the same user group, here designated by the letter A.
Similarly, development engineers in the R&D department, whether
located in Spain, Brazil or India, may be members of the same user
group, here designated by the letter D.
[0054] In parallel, among the second multiplicity of computer
resources, a second plurality of groups of computer resources is
defined, wherein all members of each one of the second plurality of
groups of computer resources have at least nearly identical
resource/user access permissions, for example each computer file in
a given group is accessible by an identical or nearly identical
group of users.
[0055] For example, as seen in FIG. 1, all files relating to
accounts payable may be members of the same computer resource
group, here designated by the letter `a`. Similarly, all files
relating to development of a door may be members of the same
computer resource group, here designated by the letter `d`.
[0056] It is appreciated that all members of each user group have
at least nearly identical user/resource access permission profiles.
For example, all members of user group A have access to the
company's accounts and all members of user group D have access to
the engineering files.
[0057] Similarly, it is appreciated that all members of each
computer resource group have at least nearly identical
resource/user access permission profiles, for example all members
of computer resource group `a` are accessible by bookkeepers and
all members of computer resource group `d` are accessible by design
engineers.
[0058] In order to respond to a query or otherwise prepare a report
indicating access permission profiles for certain users or computer
resources, it is possible to quickly ascertain whether a given user
is a member of one of the first plurality of user groups, and if
so, to quickly ascribe to that given user the user/resource access
permissions of that one of the first plurality of user groups.
Similarly it is possible to quickly ascertain whether a given
computer resource is a member of one of the second plurality of
computer resource groups, and if so, to quickly ascribe to that
given computer resource the resource/user access permissions of
that one of the second plurality of computer resource groups.
[0059] Thus the time consuming iterative processing employed in the
prior art is obviated.
[0060] It is appreciated that embodiments of the invention, which
only group either users or computer resources, but not both, are
also within the scope of the present invention.
[0061] Methodology for carrying out the foregoing steps in
accordance with a preferred embodiment of the present invention
will now be described, with reference to FIG. 2.
[0062] Reference is now made to FIG. 2, which is a simplified
flowchart illustrating general methodology for ascertaining access
permissions of users to computer resources in a large organization
having a large number of resources and a large number of users in
accordance with a preferred embodiment of the present
invention.
[0063] As seen in FIG. 2, in a first preparatory stage, users in
the organization are divided into groups based on their access
permissions with respect to a given server in the organization, as
seen at step 200. Specifically, for each server, users in the
organization are divided into a plurality of user groups, wherein
users in each group have similar or preferably identical access
permissions with respect to files in the server. The methodology
for grouping the users is described in further detail hereinbelow
with reference to FIG. 3.
[0064] As seen at step 202, in a second preparatory stage, the
computer resources of the organization are grouped based on the
access permissions thereto. Specifically, in a hierarchical server
system, unless otherwise specified, a computer resource has the
same access permissions as the direct ancestor thereof. Thus,
computer resources may be grouped such that each descendant
computer resource, which has access permissions identical to those
of its ancestor computer resource, points to the access control
list of its ancestor, rather than duplicating that access control
list. The methodology for grouping the computer resources is
described in further detail hereinbelow with reference to FIG.
4.
[0065] It is appreciated that the grouping of users of step 200 and
grouping of computer resources of step 202 may be carried out in
any sequence, or in parallel, and preferably is performed
periodically, in order to account for changes in user access
permissions and/or in the hierarchical structure of the computer
resources in the organization.
[0066] In a first processing stage, which follows the preparatory
stages described hereinabove, an access permissions query is
presented, typically by a member of the organization or a
department thereof, as seen at step 204. A typical query would
comprise a subset of users and a subset of storage elements. A
response to such a query would list, for each user in the subset of
users, access permissions to each of the storage elements in the
subset of storage elements.
[0067] For example, one query may include all the users in the
organization as the user subset, and a given computer resource as
the storage element subset. A response to this query would identify
all the users who have permission to access the given computer
resource. In another example, the query may include all of the
computer resources of the organization as the storage element
subset, and a given user as the user subset. A response to this
query would identify all the storage elements, which may be
accessed by the given user.
[0068] As seen at step 206, the query is processed and a response
thereto is computed. Typically, the response to the query includes,
for each user listed in the query, a list of a sub-group of the
computer resources listed in the query to which the user has
access. The methodology for computing the response to the query is
described in further detail hereinbelow with reference to FIG. 5.
The response to the query is then forwarded to the person or party
who presented the access permissions query, indicated as step
208.
[0069] Reference is now made to FIGS. 3A and 3B, which, when taken
together, are a simplified flowchart illustrating methodology for
grouping users in a large organization based on their access
permissions, which methodology constitutes the first preparatory
stage 200 of the methodology of FIG. 2. The goal of such grouping
is to create user groups, wherein users in a single user group have
similar, or preferably identical, access permissions with respect
to computer resources stored on a given server.
[0070] A prerequisite for the creation of such user groups is the
definition of user security groups, which is carried out prior to
first step 300 of FIG. 3A. User security groups are pre-defined by
the system administrator. Typically, user security groups
correspond to different departments within the organization. User
security groups may include, for example, an accounting user
security group, a research and development user security group,
etc. Each respective user security group includes those users who
belong to the department to which the user security group
corresponds. Users may belong to more than one user security group.
For example, the secretary of a research and development department
may belong to an administrative user security group and a research
and development user security group.
[0071] Each user security group has pre-assigned access permissions
to computer resources on a given server. An access control list for
a given computer resource is a list of user security group access
permissions to that computer resource.
[0072] As seen in FIG. 3A, a server is selected, as seen at step
300. It is appreciated that the users will be grouped only with
respect to their access permissions to computer resources residing
on the selected server.
[0073] Subsequently, the access control list for computer resources
which reside on the selected server is reviewed, in order to
extract those user security groups, and hence those users belonging
to those user security groups, with permission to access at least
some of the computer resources stored on the server, as seen at
step 302.
[0074] For any given pair of users belonging to any of the
extracted user security groups, the users' access permissions to
computer resources stored on the selected server are compared to
check whether they are identical with respect to all computer
resources stored on the selected server as seen at decision step
304. If both users in the pair have identical access permissions to
computer resources stored on the selected server they are assigned
to the same initial user group with respect to the selected server,
as seen at step 306. Otherwise, they are assigned to two different
initial user groups with respect to the selected server, as seen at
step 308.
[0075] These initial user groups are forerunners of the user groups
that this methodology seeks to create. The initial user groups may
require further refinement, as described below, to arrive at the
desired final user groups. It is appreciated that two users may
have very similar access permissions on the selected server, other
than one or two specific computer resources to which their access
permissions differ. This may happen, for example, when the server
includes some users' home directories, in which case two users
could have identical access permissions to all computer resources
in the server other than the home directories, for which each user
would have access permission to his or her own specific home
directory, but would generally not have access permission to other
users' home directories.
[0076] This situation may cause the users of the server to be grouped into many
small initial user groups or even singletons, even though there are
larger potential initial user groups with very similar, although
not identical, access permissions. As will be described
hereinbelow, this situation may be overcome by virtually dividing
the computer resources on the server into two or more virtual
servers.
[0077] Therefore, following user assignment to initial user groups
as seen in steps 304, 306 and 308, the number of resulting initial
user groups and the sizes thereof are reviewed. Preferably, the
number of initial user groups is compared to a first predetermined
threshold number, as seen at decision step 310, and the number of
singleton initial user groups is compared to a second predetermined
threshold number, as seen at decision step 312. If the number of
initial user groups does not exceed the first threshold number and
if the number of singleton initial user groups does not exceed the
second threshold number the user assignment is complete. The
initial user groups and singletons now constitute user groups, as
referred to above, specifically in reference to step 200 of FIG.
2.
[0078] Turning to FIG. 3B, it is seen that if the number of initial
user groups exceeds the first threshold number, and/or if the
number of singleton initial user groups exceeds the second
threshold number, the server is divided into two virtual servers,
as seen at step 314. In accordance with one exemplary embodiment
for carrying out such a virtual division of the server, for each
specific user or user security group, the number of computer
resources stored on the server to which the specific user or user
security group is permitted access is established, as seen at step
316. The fraction of computer resources to which the specific user
or user security group is permitted access is then calculated and
compared to a fraction threshold value, such as 1%, as seen at
decision step 318.
[0079] If the fraction of computer resources to which a specific
user or user security group is permitted access is smaller than the
fraction threshold value, the user or user security group is
denoted as a degenerate security group, as seen at step 320.
Otherwise, the user or user security group is denoted as an
important security group, as seen at step 322.
[0080] The union of computer resources including access permissions
for the degenerate security groups is defined as one virtual
server, denoted a disorganized virtual server, as seen at step 324.
The disorganized virtual server is assumed to include few computer
resources with similar access control lists and/or few users with
identical access permissions. Assignment of users to initial user
groups based on the computer resources in the disorganized virtual
server is likely to result in a large number of initial user groups
and/or singleton initial user groups and is inefficient and
therefore unnecessary.
[0081] The computer resources on the server which do not belong to
the disorganized virtual server are defined as a second virtual
server, denoted an organized virtual server, as seen at step 326.
The organized virtual server is assumed to include files with
similar access control lists, such that assignment of users to
initial user groups based on their access permissions to computer
resources in this virtual server is likely to result in a small
number of organized initial user groups.
[0082] Following the division of the server into two virtual
servers, the organized virtual server is selected as the server
with respect to which users will be assigned to initial user
groups, as seen at step 328. Subsequently, users are assigned to
initial user groups again based on their access permissions to
computer resources stored on the organized virtual server, as
described hereinabove with reference to steps 302 to 308. These
initial user groups and singleton initial user groups now
constitute user groups, as referred to above, specifically in
reference to step 200 of FIG. 2.
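The user-grouping flow of FIGS. 3A and 3B (steps 302 to 328), written out as an added example that is not part of the application. ACLs are modelled, as in paragraph [0071], as sets of user security group names; the file server, group names, user names and thresholds are constructed for the example, and the degenerate-group fraction is computed per security group, one of the two variants the description allows.

```python
# Constructed sample: one file server whose ACLs list the user security
# groups permitted access. 100 shared files plus four home directories, so
# that each per-user home group reaches less than 1% of the resources.
def build_sample_server():
    acls = {}
    for i in range(60):
        acls[f"/finance/doc{i:03d}"] = {"acct"}
    for i in range(40):
        acls[f"/eng/spec{i:03d}"] = {"rnd"}
    for name in ("alice", "bob", "carol", "dave"):
        acls[f"/home/{name}"] = {f"u_{name}"}  # only the owner's own group
    return acls

# Constructed security group membership (user -> groups). "eve" belongs
# only to a group that grants nothing on this server.
SAMPLE_MEMBERSHIP = {
    "alice": {"acct", "u_alice"},
    "bob": {"acct", "u_bob"},
    "carol": {"rnd", "u_carol"},
    "dave": {"rnd", "u_dave"},
    "eve": {"hr"},
}


def user_resource_permissions(acls, membership):
    """Steps 302-304: for every user who belongs to a security group that
    appears in some ACL on the server, the set of resources the user can
    access (the user's user/resource access permissions)."""
    groups_on_server = set().union(*acls.values())
    perms = {}
    for user, groups in membership.items():
        if groups & groups_on_server:
            perms[user] = frozenset(r for r, acl in acls.items() if acl & groups)
    return perms


def group_users(perms):
    """Steps 304-308: users with identical permission sets share an initial
    user group; every distinct permission set becomes its own group."""
    by_perms = {}
    for user, resources in perms.items():
        by_perms.setdefault(resources, set()).add(user)
    return list(by_perms.values())


def degenerate_groups(acls, fraction_threshold):
    """Steps 316-322: a security group permitted access to fewer than
    fraction_threshold of the server's resources is degenerate."""
    total = len(acls)
    count = {}
    for acl in acls.values():
        for g in acl:
            count[g] = count.get(g, 0) + 1
    return {g for g, n in count.items() if n / total < fraction_threshold}


def split_virtual_servers(acls, fraction_threshold):
    """Steps 324-326: the disorganized virtual server is the union of all
    resources whose ACL grants access to any degenerate group; the organized
    virtual server is everything else."""
    degenerate = degenerate_groups(acls, fraction_threshold)
    disorganized = {r: acl for r, acl in acls.items() if acl & degenerate}
    organized = {r: acl for r, acl in acls.items() if r not in disorganized}
    return organized, disorganized


def group_users_for_server(acls, membership, max_groups, max_singletons,
                           fraction_threshold=0.01):
    """Whole FIG. 3A/3B flow for one server. Returns the final user groups
    and the (possibly virtual) server they were computed against."""
    groups = group_users(user_resource_permissions(acls, membership))
    singletons = sum(1 for g in groups if len(g) == 1)
    # Decision steps 310 and 312: accept the initial grouping if it is small.
    if len(groups) <= max_groups and singletons <= max_singletons:
        return groups, acls
    # Steps 314-328: divide the server and regroup on the organized part.
    organized, _ = split_virtual_servers(acls, fraction_threshold)
    return group_users(user_resource_permissions(organized, membership)), organized


if __name__ == "__main__":
    acls = build_sample_server()
    print("initial groups:", group_users(user_resource_permissions(acls, SAMPLE_MEMBERSHIP)))
    final, used = group_users_for_server(acls, SAMPLE_MEMBERSHIP, max_groups=3, max_singletons=0)
    print("final groups:", final, "over", len(used), "resources")
```

On the sample data the initial pass yields four singletons (each user's home directory makes the permission sets differ), the four home groups are degenerate at the 1% threshold, and regrouping on the organized virtual server yields two groups, {alice, bob} and {carol, dave}.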
[0083] Reference is now made to FIGS. 4A and 4B, which, taken
together, are a simplified flowchart illustrating methodology for
grouping computer resources in a large organization based on access
permissions to the computer resources, which methodology
constitutes the second preparatory stage 202 of the methodology of
FIG. 2.
[0084] As seen in FIG. 4A, a node of the computer resource
hierarchy is selected for processing, as seen at step 400.
Preferably, the computer resource hierarchy is processed from the
leaves to the root, in which case the first nodes selected for
processing are the leaves, or nodes at the lowest level of the
computer resource hierarchy.
[0085] For the selected node, the existence of an immediate
ancestor thereof in the hierarchy is checked, as seen at decision
step 402. If the selected node does not have an immediate ancestor,
it is deduced to be the root of the hierarchy. The node is
designated as a distinct node as seen at step 404, and the process
is finished. Otherwise, the access control list of the node is
extracted as seen at step 405, and the access control list of the
immediate ancestor of the selected node is extracted as seen at
step 406. The access control lists of the selected node and of its
immediate ancestor are subsequently compared, as seen at decision
step 408.
[0086] It is appreciated that if no explicit access control list is
associated with the node being processed, the node being processed
inherits the access control list associated with the immediate
ancestor node and the process continues with step 410.
[0087] Turning to FIG. 4B, it is seen that if the access control
lists of the selected node and its immediate ancestor are the same,
a pointer, which points from the selected node to the access
control list of its immediate ancestor is added to the hierarchy,
as seen at step 410. Additionally, all pointers pointing to the
access control list of the selected node are moved to point to the
access control list of the immediate ancestor of the selected node,
as seen at step 412, and a processing indication, indicating that
the node has been processed, is added to the selected node, as seen
at step 414.
[0088] If the access control list of the selected node differs from
that of its immediate ancestor, the node is designated as a
distinct node as seen at step 416, and a processing indication,
indicating that the node has been processed, is added to the
selected node, as seen at step 418.
[0089] Subsequently, the level of the hierarchy to which the
selected node belongs is reviewed in order to determine if there
are any unprocessed nodes at that level, as seen at decision step
420. If there are any unprocessed nodes at the level of the
selected node, a new node at that level is selected as seen at step
422, and the processing of that node proceeds as described
hereinabove with reference to steps 402-418. Otherwise, a node
which is located one level higher in the hierarchy than the
selected node, such as the immediate ancestor of the selected node,
is selected, as seen at step 424, and the processing thereof
proceeds as described hereinabove with reference to steps
402-418.
[0090] Reference is now made to FIGS. 5A, 5B and 5C, which, taken
together, are a simplified flowchart illustrating methodology for
computing a response to an access permissions query, which
methodology constitutes step 206 of the methodology of FIG. 2.
[0091] As seen in FIG. 5A, a group of computer resources to be
processed is defined, as seen at step 500. When beginning to
process a query the group is typically empty and is populated
during the processing of the query.
[0092] As seen in FIG. 5A, step 501 is performed for each computer
resource included in the query, to detect all of the distinct
computer resource nodes included in the query.
[0093] As seen in step 502, for each computer resource included in
the query, it is detected whether it comprises a distinct node of
the computer resource hierarchy.
[0094] If the computer resource does comprise a distinct node of
the computer resource hierarchy, it is added to the group of
computer resources to be processed, as seen at step 504. If the
computer resource does not comprise a distinct node, the pointer
associated therewith is followed to an ancestor node that comprises
a distinct node, as seen at step 506.
[0095] At decision step 508, it is established if the computer
resource comprising the ancestor node that comprises a distinct
node has been previously added to the group of computer resources
to be processed. If the computer resource comprising the ancestor
node has not been previously added to the group of computer
resources to be processed, it is now added to the group, as seen at
step 510. If the computer resource comprising the ancestor node has
been previously added to the group of computer resources to be
processed, it is not added to the group a second time, but is
associated, in the group of computer resources to be processed,
with the currently processed computer resource, in order to enable
the provision of a complete query response, as seen at step 512.
This is typically achieved by defining a pointer which points from
the currently processed computer resource to the instance of the
distinct ancestor which is included in the group of computer
resources to be processed.
[0096] As seen at step 513, a user included in the query, whose
access permissions will now be processed, is selected.
[0097] Turning to FIG. 5B, it is seen at step 514 that a computer
resource, which is included in the group of resources to be
processed, is selected, and the physical server on which it resides
is ascertained, as seen at step 515. Subsequently, the specific
user group to which the user belongs, with respect to the server on
which the computer resource resides, is ascertained as seen at step
516. It is then checked whether, during the processing of this
computer resource, the access permissions of another user belonging
to the same specific user group have been computed, as seen at
decision step 518.
[0098] If the access permissions of another user, belonging to the
same specific user group, to the given computer resource have been
previously computed, the computed access permissions are assigned
to the present user, as seen at step 520. Otherwise, the access
permissions of the user, and/or of the user group to which the user
belongs, to the computer resource, are extracted from the access
control list associated with the computer resource, as seen at step
522.
[0099] The existence of any computer resources included in the
group which have not been processed with respect to the selected
user is subsequently checked, as seen at decision step 524.
[0100] As seen in FIG. 5C, if such a computer resource exists, that
computer resource is selected, as seen at step 526, and is
processed with respect to the selected user as described
hereinabove with reference to steps 515 to 522. If no such computer
resource exists, it is checked whether there are any users included
in the query whose access permissions have not yet been computed,
as seen at decision step 528. If such a user exists, that user is
selected, as seen at step 530, and processing of access permissions
thereof proceeds as described hereinabove with reference to steps
514 to 522.
[0101] As seen at step 532, when the access permissions for all of
the users in the query have been computed with respect to each of
the computer resources included in the group of computer resources
to be processed, a response to the query, which comprises a paired
list including a pair for each user and each computer resource
included in the original query, is generated. It is appreciated
that when generating such a query response, the results for each
computer resource which comprises a distinct node ancestor for more
than one of the computer resources included in the query are
provided multiple times, in order to provide a query response for
each computer resource included in the query.
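As an added example, not part of the patent application, the following Python sketches both procedures: the distinct-node collapse of FIGS. 4A and 4B (steps 400 to 424) and the query computation of FIGS. 5A to 5C (steps 500 to 532). The sample hierarchy, ACL format, group assignments and function names are constructed assumptions; a single physical server is assumed, so step 515 is omitted.

```python
from collections import defaultdict

# Constructed sample: parent map and explicit ACLs keyed by group name.
# None means no explicit ACL, so the node inherits its ancestor's ([0086]).
PARENT = {"/": None, "/hr": "/", "/hr/pay": "/hr", "/eng": "/", "/eng/src": "/eng"}
ACL = {
    "/": {"hr-team": {"read"}, "eng-team": {"read"}},
    "/hr": {"hr-team": {"read", "write"}},
    "/hr/pay": None,                                       # inherits /hr: not distinct
    "/eng": {"hr-team": {"read"}, "eng-team": {"read"}},   # equals "/": not distinct
    "/eng/src": {"eng-team": {"read", "write"}},
}
GROUP_OF = {"alice": "hr-team", "bob": "hr-team", "carol": "eng-team"}  # step 200

def depth(node):
    return 0 if node == "/" else node.count("/")

def effective_acl(node):
    """Steps 405/406: walk up to the nearest explicit access control list."""
    while ACL[node] is None:
        node = PARENT[node]
    return ACL[node]

def collapse():
    """Steps 400-424: map each node to its nearest distinct ancestor (itself if distinct)."""
    distinct = {}
    for node in sorted(PARENT, key=depth, reverse=True):   # leaves first (step 400)
        anc = PARENT[node]
        if anc is None or effective_acl(node) != effective_acl(anc):
            distinct[node] = node                           # steps 404 / 416
    for node in sorted(PARENT, key=depth):                  # then top-down ...
        if node not in distinct:                            # ... so the pointer target
            distinct[node] = distinct[PARENT[node]]         # is resolved (410/412)
    return distinct

def query(users, resources, distinct):
    """Steps 500-532: (user, resource, rights) triples plus the number of ACL reads."""
    targets = defaultdict(list)           # distinct node -> query resources resolving to it
    for r in resources:                   # steps 501-512: add once, remember originals
        targets[distinct[r]].append(r)
    cache, reads, response = {}, 0, []
    for u in users:                       # steps 513 / 528-530
        for d, originals in targets.items():           # steps 514 / 524-526
            key = (GROUP_OF[u], d)                     # step 516 (one server: 515 omitted)
            if key not in cache:                       # step 518: reuse a groupmate's result
                reads += 1                             # step 522: read the ACL once per group
                cache[key] = effective_acl(d).get(GROUP_OF[u], set())
            for r in originals:                        # step 532: a pair per query resource
                response.append((u, r, cache[key]))
    return response, reads
```

With three users in two user groups and two query resources that resolve to two distinct nodes, only four ACL reads are needed instead of six, which is the saving the per-group reuse at step 518 is meant to give.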
[0102] It will be appreciated by persons skilled in the art that
the invention is not limited to what has been particularly shown
and described hereinabove. Rather the scope of the invention
includes both combinations and subcombinations of various features
described hereinabove as well as modifications of such features
which would occur to a person of ordinary skill in the art upon
reading the foregoing description and which are not in the prior
art.
* * * * *